Following Russian hacker indictment, a look at Massachusetts' election security

Eli Sherman Wicked Local @Eli_Sherman

Wednesday

Jul 25, 2018 at 11:00 AMSep 26, 2018 at 10:47 AM

With midterm elections fast approaching, security of voting systems and voter data has emerged as a major concern across the country.

“We’ve been working on this for some time and we’ve been aware of the (cyberattack) issues since the 2016 election,” said Debra O’Malley, spokeswoman for Massachusetts Secretary of the Commonwealth William Galvin.

Public scrutiny surrounding election security intensified in July after a grand jury indicted 12 Russian hackers, accusing them of interfering in U.S. elections two years ago.

“The object of the conspiracy was to hack into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from those computers, and stage releases of the stolen documents to interfere with the 2016 U.S. presidential election,” according to the indictment.

The indictment largely focuses on the presidential campaign, but hackers also targeted state and local election boards, successfully stealing the personal information of at least 500,000 voters, according to the indictment. The stolen information included names, addresses, partial Social Security numbers, dates of birth and driver’s license numbers.

Massachusetts is not named in the indictment, and O’Malley said the U.S Department of Homeland Security had not contacted state election officials about it.

Nonetheless, top national intelligence officials have said all 50 states were likely targeted, which Russia is likely to do again in the 2018 midterm elections. On July 19, Microsoft reported hackers with ties to Russia had already targeted three separate congressional candidates.

In Massachusetts, state primaries are scheduled for Sept. 4. O’Malley says security measures are in better shape than many other states in part because of its somewhat antiquated system.

“We’re in a good position, luckily, because our state voter database is on a closed network,” O’Malley said.

A closed network means local and state election offices are hardwired together -- and not connected to the internet -- making it incredibly difficult to access without physically tapping into the system. Additionally, Massachusetts benefits from still using paper ballots, a traditional voting method that helps ensure accuracy and safeguard against cyberattacks.

“It’s turned out to be in our benefit,” O’Malley added.

Other states, including Delaware, Georgia, Louisiana, New Jersey and South Carolina, have moved entirely to electronic voting machines, first touted as a way to reduce fraud, boost voter turnout and cut costs through increased efficiency. In the wake of the 2016 election, however, many are rethinking the technology, as the machine are more susceptible to hacks. And without a paper record, it’s difficult to audit and confirm results.

“It is nearly impossible to determine if paperless voting machines have been hacked and if vote tallies have been altered,” according to a July report by U.S. Committee on House Administration Democrats.

Massachusetts is mandated to audit 3 percent of precincts after presidential elections, which election watchdogs say is a good step toward improving election security. There’s no requirement to audit midterm elections.

Nonetheless, Marie Y. Ryan, president of the Massachusetts Town Clerks Association, went so far as to say there are “no issues” related to cybersecurity in Massachusetts elections.

“As far as the cyber security, there are no issues in Massachusetts, unlike other states, because our systems (and) equipment are not connected to the internet at all,” Ryan wrote in an email.

Massachusetts state and local election officials have begun experimenting with more-advanced technology systems, however, including “e-poll books,” sometimes called “poll pads.” The e-poll books, which look like tablets, are not used to count votes. But the databases kept on the machines maintain sensitive voter information, including names, addresses, political parties, dates of birth and sometimes voter identification numbers. And while conceptually simple, and designed to improve the overall voting experience, e-poll books are potentially vulnerable to cyberattacks.

“Some of those (e-poll books) are internet and Bluetooth-enabled, so they could be tampered with,” said Pam Wilmot, executive director of Common Cause Massachusetts, a government watchdog. “They are not directly connected to the central voting registry … but they do later get uploaded, so there is some vulnerability.”

Some Massachusetts municipalities have already begun using the e-poll books to check in voters for Town Meetings, including in Sherborn, Canton and Tewksbury. But local officials are waiting for state guidance on whether to use them in the upcoming elections.

“The state Election Division has not yet to certify them for use at elections due [to] possible issues since they could connect to Wi-Fi,” wrote Ryan, who is also the Great Barrington town clerk. “This is something that is being worked on presently. We have total confidence in the state Election Division to come up with a way to be able to use the (e-poll books) for elections.”

With an eye to further bolster election security throughout the state, Massachusetts applied for and received a $7.9 million federal grant, which requires a 5 percent state match. The grant was part of a $380 million federal grant program made available to states to improve the administration of elections, enhance technology and make election security improvements.

There’s no requirement, however, to spend the money before the midterm elections and state officials are not banking on it. The state would not share its proposal for the funds with Wicked Local, saying the plan still needs federal approval.

“Obviously, we’re not depending on the funding to prepare,” O’Malley said.

On July 19, the Republican-controlled U.S. House moved to eliminate future funding for states to strengthen election security, much to the chagrin of House Democrats, including Massachusetts Rep. Jim McGovern of Worcester.

“Does anybody really believe that these attacks are going to stop?” McGovern asked hypothetically on the House floor. “This is about protecting our democracy, and I don’t understand why this is controversial.”

Beyond the public sector, private, political and nonprofit organizations are also custodians of extensive databases of voter information, making them also susceptible to cyberattacks.

The hackers stole thousands of documents from the Democratic Party, ultimately releasing troves of private information and emails. The leak, albeit two years ago, wreaked havoc in the party and its members are not quick to forget.

“In the wake of the attacks on our elections and the hacking of our colleagues in Washington by the Russian government, we’ve taken active steps to step up our security measures,” said Emily Fitzmaurice, communications director for the Democratic Party. “The security of our work has been and continues to be a top priority.”

Eli Sherman is an investigative and in-depth reporter at Wicked Local and GateHouse Media. Email him at esherman@wickedlocal.com, or follow him on Twitter @Eli_Sherman.